Internal agents
Leaving the lab.
Agents now hold authority that used to require human approval. The control question shifts from whether the API call worked to who authorized what, under which policy, and whether you can prove it.
Monday morning, your auditor asks who authorized the agent that tried to export customer data on Friday night. This is what they get.
Define what an agent is allowed to do, enforce it at the gateway, and produce evidence humans and upstreams can trust.
Bind agent actions to human or platform authority; apply spend, scope, rate, and escalation limits before access; export the proof when your CISO, auditor, board, or incident reviewer asks what happened.
Evidence Pack
Signed lifecycle export preview
{
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"issued_at": "2026-05-09T14:22:31Z",
"expires_at": "2026-05-16T14:22:31Z",
"tenant": "acme-finance",
"subject": "worker-agent:invoice-reconciler",
"payment_context": {
"default_market": "internal_enterprise_agents",
"internal_rail": "existing_iam_service_account_or_api_key_billing",
"optional_external_rails": [
"x402",
"l402",
"api_key_billing",
"enterprise_ledger"
],
"note": "The same authority chain and receipts can cover an internal agent call, or a governed bridge call to an external paid API."
},
"authority_chain": [
{
"kind": "root_grant",
"subject": "dean-agent:finance-automation",
"issuer_kid": "satgate-mint-2026-05",
"caveats": [
"tenant=acme-finance",
"budget_usd<=25",
"delegation_depth<=1"
],
"receipt_hash": "sha256:7a2ca1b8d5e0a0d7c9545c7f8e6d03d12761b687a7a1f27c0dd7ed2e643a01b5"
},
{
"kind": "delegation",
"subject": "worker-agent:invoice-reconciler",
"parent": "dean-agent:finance-automation",
"caveats": [
"budget_usd<=3",
"no_customer_data_export",
"route_prefix=/v1/invoices"
],
"receipt_hash": "sha256:95f1c3df9d1f8d7a0e5b60b850f4b6013dd2f0e18496f9e5a8c0319fd51382bf"
}
],
"receipts": [
{
"receipt_id": "rcpt_mint_001",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "mint",
"ts": "2026-05-09T14:22:31Z",
"issuer_kid": "satgate-mint-2026-05",
"decision_reason": "root_capability_issued",
"result": "issued",
"caveats": [
"tenant=acme-finance",
"budget_usd<=25",
"delegation_depth<=1"
],
"receipt_hash": "sha256:7a2c..."
},
{
"receipt_id": "rcpt_delegation_002",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "delegation",
"ts": "2026-05-09T14:23:04Z",
"decision_reason": "scope_budget_and_depth_attenuated",
"result": "attenuated",
"receipt_hash": "sha256:95f1..."
},
{
"receipt_id": "rcpt_spend_search_003",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "spend",
"ts": "2026-05-09T14:23:18Z",
"route": "/v1/invoices/search",
"amount_usd": "0.18",
"payment_protocol": "internal_api",
"settlement": {
"rail": "internal_ledger",
"cost_center": "FIN-AP-042"
},
"decision_reason": "allowed_under_policy",
"result": "allowed",
"receipt_hash": "sha256:01d8..."
},
{
"receipt_id": "rcpt_spend_compare_004",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "spend",
"ts": "2026-05-09T14:24:02Z",
"route": "/v1/invoices/compare",
"amount_usd": "0.42",
"payment_protocol": "internal_api",
"settlement": {
"rail": "internal_ledger",
"cost_center": "FIN-AP-042"
},
"decision_reason": "allowed_under_policy",
"result": "allowed",
"receipt_hash": "sha256:a923..."
},
{
"receipt_id": "rcpt_paid_ocr_005",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "spend",
"ts": "2026-05-09T14:24:44Z",
"route": "/v1/invoices/ocr",
"mcp_tool": "document_ai.ocr",
"amount_usd": "0.18",
"payment_protocol": "x402",
"settlement": {
"chain": "solana",
"tx": "REDACTED_DEMO_SAMPLE",
"ms": 187
},
"decision_reason": "allowed_under_policy",
"result": "allowed",
"receipt_hash": "sha256:deb5..."
},
{
"receipt_id": "rcpt_denial_scope_006",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "denial",
"ts": "2026-05-09T14:25:08Z",
"decision_reason": "scope_violation:no_customer_data_export",
"reason_code": "scope_violation:no_customer_data_export",
"result": "blocked",
"receipt_hash": "sha256:9b0f..."
},
{
"receipt_id": "rcpt_denial_budget_007",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "denial",
"ts": "2026-05-09T14:25:33Z",
"decision_reason": "budget_exhausted",
"reason_code": "budget_exhausted",
"result": "blocked",
"receipt_hash": "sha256:c3f6..."
},
{
"receipt_id": "rcpt_revocation_008",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "revocation",
"ts": "2026-05-09T14:26:11Z",
"revoked_by": "security-admin",
"decision_reason": "capability_revoked_by_security_admin",
"result": "revoked",
"receipt_hash": "sha256:37d1..."
},
{
"receipt_id": "rcpt_post_revoke_denial_009",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "post_revoke_denial",
"ts": "2026-05-09T14:26:16Z",
"decision_reason": "capability_revoked",
"reason_code": "capability_revoked",
"result": "blocked",
"receipt_hash": "sha256:8b95..."
},
{
"receipt_id": "rcpt_export_010",
"evidence_pack_id": "ep_demo_2026_05_09_001",
"policy_version": "pol_invoice_reconciliation@2026-05-09",
"type": "export",
"ts": "2026-05-09T14:26:31Z",
"decision_reason": "evidence_pack_exported",
"result": "evidence_pack_issued",
"receipt_hash": "sha256:e1b3..."
}
],
"chain_root": "sha256:f04ed8430b11c8975cc5ef35919ee078fc4cb166cd8d611ed0d94b7da69df09d",
"signature": "ed25519:REDACTED_DEMO_SAMPLE_DO_NOT_VERIFY"
}
Inline hashes are shortened for readability. Full hashes, payment rail context, ed25519 signature, and verification block are in the downloadable JSON.
Internal first, rail-aware when needed
Most enterprise agents do not need a wallet to call internal APIs. They need bounded delegated authority, budget controls, revocation, and audit evidence around the credentials they already have.
When that same internal workflow crosses into an external paid API, SatGate keeps the proof intact: internal scope and delegation, plus spend attribution above x402 rails, L402, API-key billing, or enterprise ledgers. Payment proves value moved. SatGate proves the agent was allowed to move it.
Why now
Enterprises need proof of authority before those rails scale. Payment rails authorize value movement. SatGate authorizes behavior and preserves proof.
Paid calls
x402, L402, AgentCore Payments, Pay.sh, and related rails make it easier for agents to call paid services. SatGate adds policy, limits, evidence, and review around that spend path.
Enterprise scale
CISOs, platform teams, and FinOps leaders need more than logs after the fact. They need evidence that each action matched policy before agents trigger budget, data access, or external execution.
SatGate
Every authority decision is recorded — payment or not — so review and audit do not depend on which protocol the agent used.
The contrast
Other gateways
You reconstruct authority from six systems, three hours of joins, shared API keys, cloud invoices, and dashboard screenshots — with no chain-of-custody.
SatGate
The Evidence Pack is not a logging afterthought. It is generated by the same authority path that enforces the decision.
Six-question evidence framework
The Evidence Pack bundles these artifacts into one export instead of sending teams on a forensics project across logs, invoices, and gateway dashboards. Authority-chain entries preserve lineage; matching receipts preserve the allow, deny, pay, delegate, and revoke sequence, so auditors can verify both structure and chronology.
Who authorized this?
Identity claim, policy match, issuer, timestamp, and the capability minted for the invoice-reconciler worker.
Which agent got access?
The root capability, parent agent, invoice-reconciler worker, and every attenuation in the handoff path.
What exactly could it do?
Routes, tools, tenant boundary, expiry, budget, delegation depth, and revocation status at issue time.
What did it spend?
Request-path and MCP-tool attribution by worker, token, tenant, route, amount, and policy mode.
What was denied?
A policy, budget, scope, tenant, or revocation reason code attached to the blocked invoice call.
Can we prove revocation worked?
The revocation receipt and the first post-revoke denial receipt after access ended, tied to the same authority chain.
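An auditor-side check of the structure and chronology described above, as an added example that is not SatGate code: it uses the field names from the sample Evidence Pack on this page and assumes caveats are plain strings shaped like budget_usd<=3 and route_prefix=/v1/invoices. The names caveat and audit are hypothetical, and nothing here verifies receipt_hash, chain_root, or the signature, whose construction the page does not describe.

```python
from decimal import Decimal

# Constructed input: the page's sample pack, trimmed to the fields the checks read.
PACK = {
    "subject": "worker-agent:invoice-reconciler",
    "authority_chain": [
        {"kind": "root_grant", "subject": "dean-agent:finance-automation",
         "caveats": ["tenant=acme-finance", "budget_usd<=25", "delegation_depth<=1"]},
        {"kind": "delegation", "subject": "worker-agent:invoice-reconciler",
         "parent": "dean-agent:finance-automation",
         "caveats": ["budget_usd<=3", "no_customer_data_export", "route_prefix=/v1/invoices"]}],
    "receipts": [
        {"receipt_id": "rcpt_spend_search_003", "type": "spend", "result": "allowed",
         "ts": "2026-05-09T14:23:18Z", "route": "/v1/invoices/search", "amount_usd": "0.18"},
        {"receipt_id": "rcpt_revocation_008", "type": "revocation", "ts": "2026-05-09T14:26:11Z"},
        {"receipt_id": "rcpt_post_revoke_denial_009", "type": "post_revoke_denial",
         "ts": "2026-05-09T14:26:16Z"}]}

def caveat(entry, key, sep):
    """Value of the first caveat shaped key<sep>value on a chain entry, else None."""
    return next((c[len(key + sep):] for c in entry["caveats"] if c.startswith(key + sep)), None)

def audit(pack):
    """Return findings; an empty list means these structural checks passed."""
    findings, chain = [], {e["subject"]: e for e in pack["authority_chain"]}
    for e in (x for x in pack["authority_chain"] if x["kind"] == "delegation"):
        caps = [caveat(x, "budget_usd", "<=") for x in (e, chain.get(e.get("parent"))) if x]
        if len(caps) < 2 or None in caps or Decimal(caps[0]) > Decimal(caps[1]):
            findings.append(f"{e['subject']}: budget not attenuated from a parent in the chain")
    worker = chain.get(pack["subject"], {"caveats": []})
    prefix, cap = caveat(worker, "route_prefix", "="), caveat(worker, "budget_usd", "<=")
    spent, revoked, last_ts = Decimal(0), False, ""
    for r in pack["receipts"]:
        if r["ts"] < last_ts:  # same-format UTC timestamps sort lexicographically
            findings.append(f"{r['receipt_id']}: out of chronological order")
        last_ts = r["ts"]
        if r["type"] == "spend" and r["result"] == "allowed":
            spent += Decimal(r["amount_usd"])
            if revoked:
                findings.append(f"{r['receipt_id']}: allowed after revocation")
            if prefix is None or not r["route"].startswith(prefix):
                findings.append(f"{r['receipt_id']}: route outside worker scope")
            if cap is None or spent > Decimal(cap):
                findings.append(f"{r['receipt_id']}: spend exceeds worker budget")
        revoked = revoked or r["type"] == "revocation"
    types = [r["type"] for r in pack["receipts"]]
    if "revocation" in types and "post_revoke_denial" not in types[types.index("revocation"):]:
        findings.append("revocation has no later post-revoke denial receipt")
    return findings
```

Calling audit(PACK) on the constructed pack returns an empty list; a pack whose worker budget exceeds its parent's, or that shows an allowed spend after the revocation receipt, comes back with one finding per violation.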
Maps to audit controls
The Evidence Pack gives security and audit teams a starting control map instead of making them translate raw gateway logs without receipt hashes, policy versions, and decision reasons.
Mint receipt — US SOC 2
Logical access provisioning tied to identity, policy, issuer, and timestamp.
Mint receipt — ISO 27001
User registration and de-registration evidence for agent authority issuance.
Delegation chain
Least-privilege attenuation across parent and worker authority.
Revocation receipt
Deprovisioning event plus first post-revoke denial trail.
Spend ledger
Governance evidence for who created spend, on which route/tool, under which token.
Who receives the pack
“I get the authority trail in one export instead of opening a forensics ticket.”
“Revocation isn’t a promise — it’s a signed receipt followed by a denied call.”
“Spend is attributed to the agent, the token, and the route — not a shared API key.”
Want this for your stack?
Bring an API, an agent workflow, and the evidence your auditor already asks for.
Demo path
The demo ends on the exported Evidence Pack: one artifact proving authority, spend, denial, and revocation across the invoice-reconciler lifecycle. Even producing the Evidence Pack is itself an auditable event.
Read the six-step lifecycle below, or watch the 90-second cut.
1. invoice-reconciler gets a scoped macaroon capability with tenant, budget, route, and expiry caveats.
2. The parent finance agent hands narrower authority to the worker; the chain is preserved.
3. The worker calls invoice APIs or MCP tools under budget; the ledger updates by token and path.
4. Customer-data export and over-budget calls return reason-coded denial receipts before data or spend escapes.
5. Security kills the worker capability without rotating every upstream provider key.
6. The lifecycle becomes one Evidence Pack a CISO, auditor, or incident reviewer can read.
Watch a governed agent receive scoped authority, delegate work, hit policy decisions, and export a signed Evidence Pack your security and audit teams can review.
SatGate lets enterprises delegate authority to AI agents without permanent credentials, unlimited spend, or unobservable authority — and proves every step.